int device_consistency_commitment_create(device_consistency_commitment **commitment, uint32_t generation, ec_public_key_list *identity_key_list, signal_context *global_context) { static const char version[] = "DeviceConsistencyCommitment_V0"; int result = 0; void *digest_context = 0; device_consistency_commitment *result_commitment = 0; ec_public_key_list *sorted_list = 0; uint8_t gen_data[4]; unsigned int list_size; unsigned int i; result_commitment = malloc(sizeof(device_consistency_commitment)); if(!result_commitment) { result = SG_ERR_NOMEM; goto complete; } memset(result_commitment, 0, sizeof(device_consistency_commitment)); SIGNAL_INIT(result_commitment, device_consistency_commitment_destroy); sorted_list = ec_public_key_list_copy(identity_key_list); if(!sorted_list) { result = SG_ERR_NOMEM; goto complete; } ec_public_key_list_sort(sorted_list); result = signal_sha512_digest_init(global_context, &digest_context); if(result < 0) { goto complete; } result = signal_sha512_digest_update(global_context, digest_context, (uint8_t *)version, sizeof(version) - 1); if(result < 0) { goto complete; } gen_data[3] = (uint8_t)(generation); gen_data[2] = (uint8_t)(generation >> 8); gen_data[1] = (uint8_t)(generation >> 16); gen_data[0] = (uint8_t)(generation >> 24); result = signal_sha512_digest_update(global_context, digest_context, gen_data, sizeof(gen_data)); if(result < 0) { goto complete; } list_size = ec_public_key_list_size(sorted_list); for(i = 0; i < list_size; i++) { signal_buffer *key_buffer = 0; ec_public_key *key = ec_public_key_list_at(sorted_list, i); result = ec_public_key_serialize(&key_buffer, key); if(result < 0) { goto complete; } result = signal_sha512_digest_update(global_context, digest_context, signal_buffer_data(key_buffer), signal_buffer_len(key_buffer)); signal_buffer_free(key_buffer); if(result < 0) { goto complete; } } result_commitment->generation = generation; result = signal_sha512_digest_final(global_context, digest_context, &result_commitment->serialized); complete: if(sorted_list) { ec_public_key_list_free(sorted_list); } if(digest_context) { signal_sha512_digest_cleanup(global_context, digest_context); } if(result >= 0) { *commitment = result_commitment; } else { SIGNAL_UNREF(result_commitment); } return result; }
int device_consistency_message_create_from_pair(device_consistency_message **message, device_consistency_commitment *commitment, ec_key_pair *identity_key_pair, signal_context *global_context) { int result = 0; device_consistency_message *result_message = 0; signal_buffer *commitment_buffer = 0; signal_buffer *signature_buffer = 0; signal_buffer *vrf_output_buffer = 0; signal_buffer *serialized_signature_buffer = 0; Textsecure__DeviceConsistencyCodeMessage message_structure = TEXTSECURE__DEVICE_CONSISTENCY_CODE_MESSAGE__INIT; size_t len = 0; uint8_t *data = 0; size_t result_size = 0; /* Create message instance */ result = device_consistency_message_create(&result_message); if(result < 0) { goto complete; } /* Calculate VRF signature */ commitment_buffer = device_consistency_commitment_get_serialized(commitment); result = curve_calculate_vrf_signature(global_context, &signature_buffer, ec_key_pair_get_private(identity_key_pair), signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer)); if(result < 0) { goto complete; } /* Verify VRF signature */ result = curve_verify_vrf_signature(global_context, &vrf_output_buffer, ec_key_pair_get_public(identity_key_pair), signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer), signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer)); if(result < 0) { goto complete; } result_message->generation = device_consistency_commitment_get_generation(commitment); /* Create and assign the signature */ result = device_consistency_signature_create(&result_message->signature, signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer), signal_buffer_data(vrf_output_buffer), signal_buffer_len(vrf_output_buffer)); if(result < 0) { goto complete; } serialized_signature_buffer = device_consistency_signature_get_signature(result_message->signature); /* Serialize the message */ message_structure.generation = device_consistency_commitment_get_generation(commitment); message_structure.has_generation = 1; message_structure.signature.data = signal_buffer_data(serialized_signature_buffer); message_structure.signature.len = signal_buffer_len(serialized_signature_buffer); message_structure.has_signature = 1; len = textsecure__device_consistency_code_message__get_packed_size(&message_structure); result_message->serialized = signal_buffer_alloc(len); if(!result_message->serialized) { result = SG_ERR_NOMEM; goto complete; } data = signal_buffer_data(result_message->serialized); result_size = textsecure__device_consistency_code_message__pack(&message_structure, data); if(result_size != len) { result = SG_ERR_INVALID_PROTO_BUF; goto complete; } complete: signal_buffer_free(signature_buffer); signal_buffer_free(vrf_output_buffer); if(result >= 0) { *message = result_message; } else { SIGNAL_UNREF(result_message); } if(result == SG_ERR_INVALID_KEY || result == SG_ERR_VRF_SIG_VERIF_FAILED) { result = SG_ERR_UNKNOWN; } return result; }
END_TEST START_TEST(test_curve25519_signature) { int result; uint8_t aliceIdentityPrivate[] = { 0xc0, 0x97, 0x24, 0x84, 0x12, 0xe5, 0x8b, 0xf0, 0x5d, 0xf4, 0x87, 0x96, 0x82, 0x05, 0x13, 0x27, 0x94, 0x17, 0x8e, 0x36, 0x76, 0x37, 0xf5, 0x81, 0x8f, 0x81, 0xe0, 0xe6, 0xce, 0x73, 0xe8, 0x65}; uint8_t aliceIdentityPublic[] = { 0x05, 0xab, 0x7e, 0x71, 0x7d, 0x4a, 0x16, 0x3b, 0x7d, 0x9a, 0x1d, 0x80, 0x71, 0xdf, 0xe9, 0xdc, 0xf8, 0xcd, 0xcd, 0x1c, 0xea, 0x33, 0x39, 0xb6, 0x35, 0x6b, 0xe8, 0x4d, 0x88, 0x7e, 0x32, 0x2c, 0x64}; uint8_t aliceEphemeralPublic[] = { 0x05, 0xed, 0xce, 0x9d, 0x9c, 0x41, 0x5c, 0xa7, 0x8c, 0xb7, 0x25, 0x2e, 0x72, 0xc2, 0xc4, 0xa5, 0x54, 0xd3, 0xeb, 0x29, 0x48, 0x5a, 0x0e, 0x1d, 0x50, 0x31, 0x18, 0xd1, 0xa8, 0x2d, 0x99, 0xfb, 0x4a}; uint8_t aliceSignature[] = { 0x5d, 0xe8, 0x8c, 0xa9, 0xa8, 0x9b, 0x4a, 0x11, 0x5d, 0xa7, 0x91, 0x09, 0xc6, 0x7c, 0x9c, 0x74, 0x64, 0xa3, 0xe4, 0x18, 0x02, 0x74, 0xf1, 0xcb, 0x8c, 0x63, 0xc2, 0x98, 0x4e, 0x28, 0x6d, 0xfb, 0xed, 0xe8, 0x2d, 0xeb, 0x9d, 0xcd, 0x9f, 0xae, 0x0b, 0xfb, 0xb8, 0x21, 0x56, 0x9b, 0x3d, 0x90, 0x01, 0xbd, 0x81, 0x30, 0xcd, 0x11, 0xd4, 0x86, 0xce, 0xf0, 0x47, 0xbd, 0x60, 0xb8, 0x6e, 0x88}; ec_private_key *alice_private_key = 0; ec_public_key *alice_public_key = 0; ec_public_key *alice_ephemeral = 0; /* Initialize Alice's private key */ result = curve_decode_private_point(&alice_private_key, aliceIdentityPrivate, sizeof(aliceIdentityPrivate), global_context); ck_assert_int_eq(result, 0); ck_assert_ptr_ne(alice_private_key, 0); /* Initialize Alice's public key */ result = curve_decode_point(&alice_public_key, aliceIdentityPublic, sizeof(aliceIdentityPublic), global_context); ck_assert_int_eq(result, 0); ck_assert_ptr_ne(alice_public_key, 0); /* Initialize Alice's ephemeral key */ result = curve_decode_point(&alice_ephemeral, aliceEphemeralPublic, sizeof(aliceEphemeralPublic), global_context); ck_assert_int_eq(result, 0); ck_assert_ptr_ne(alice_ephemeral, 0); result = curve_verify_signature(alice_public_key, aliceEphemeralPublic, sizeof(aliceEphemeralPublic), aliceSignature, sizeof(aliceSignature)); ck_assert_msg(result == 1, "signature verification failed"); uint8_t modifiedSignature[sizeof(aliceSignature)]; int i; for(i = 0; i < sizeof(aliceSignature); i++) { memcpy(modifiedSignature, aliceSignature, sizeof(aliceSignature)); modifiedSignature[i] ^= 0x01; result = curve_verify_signature(alice_public_key, aliceEphemeralPublic, sizeof(aliceEphemeralPublic), modifiedSignature, sizeof(modifiedSignature)); ck_assert_msg(result != 1, "signature verification succeeded"); } /* Cleanup */ SIGNAL_UNREF(alice_private_key); SIGNAL_UNREF(alice_public_key); SIGNAL_UNREF(alice_ephemeral); }
int scannable_fingerprint_deserialize(scannable_fingerprint **scannable, const uint8_t *data, size_t len, signal_context *global_context) { int result = 0; Textsecure__CombinedFingerprint *combined_fingerprint = 0; uint32_t version = 0; char *local_stable_identifier = 0; ec_public_key *local_identity_key = 0; char *remote_stable_identifier = 0; ec_public_key *remote_identity_key = 0; combined_fingerprint = textsecure__combined_fingerprint__unpack(0, len, data); if(!combined_fingerprint) { result = SG_ERR_INVALID_PROTO_BUF; goto complete; } if(combined_fingerprint->has_version) { version = combined_fingerprint->version; } if(combined_fingerprint->localfingerprint) { if(combined_fingerprint->localfingerprint->has_identifier) { local_stable_identifier = signal_protocol_str_deserialize_protobuf(&combined_fingerprint->localfingerprint->identifier); if(!local_stable_identifier) { result = SG_ERR_NOMEM; goto complete; } } if(combined_fingerprint->localfingerprint->has_publickey) { result = curve_decode_point(&local_identity_key, combined_fingerprint->localfingerprint->publickey.data, combined_fingerprint->localfingerprint->publickey.len, global_context); if(result < 0) { goto complete; } } } if(combined_fingerprint->remotefingerprint) { if(combined_fingerprint->remotefingerprint->has_identifier) { remote_stable_identifier = signal_protocol_str_deserialize_protobuf(&combined_fingerprint->remotefingerprint->identifier); if(!remote_stable_identifier) { result = SG_ERR_NOMEM; goto complete; } } if(combined_fingerprint->remotefingerprint->has_publickey) { result = curve_decode_point(&remote_identity_key, combined_fingerprint->remotefingerprint->publickey.data, combined_fingerprint->remotefingerprint->publickey.len, global_context); if(result < 0) { goto complete; } } } result = scannable_fingerprint_create(scannable, version, local_stable_identifier, local_identity_key, remote_stable_identifier, remote_identity_key); complete: if(combined_fingerprint) { textsecure__combined_fingerprint__free_unpacked(combined_fingerprint, 0); } if(local_stable_identifier) { free(local_stable_identifier); } if(local_identity_key) { SIGNAL_UNREF(local_identity_key); } if(remote_stable_identifier) { free(remote_stable_identifier); } if(remote_identity_key) { SIGNAL_UNREF(remote_identity_key); } return result; }
int ratcheting_session_alice_initialize( session_state *state, alice_signal_protocol_parameters *parameters, signal_context *global_context) { int result = 0; uint8_t *agreement = 0; int agreement_len = 0; ec_key_pair *sending_ratchet_key = 0; ratchet_root_key *derived_root = 0; ratchet_chain_key *derived_chain = 0; ratchet_root_key *sending_chain_root = 0; ratchet_chain_key *sending_chain_key = 0; struct vpool vp; uint8_t *secret = 0; size_t secret_len = 0; uint8_t discontinuity_data[32]; assert(state); assert(parameters); assert(global_context); vpool_init(&vp, 1024, 0); result = curve_generate_key_pair(global_context, &sending_ratchet_key); if(result < 0) { goto complete; } memset(discontinuity_data, 0xFF, sizeof(discontinuity_data)); if(!vpool_insert(&vp, vpool_get_length(&vp), discontinuity_data, sizeof(discontinuity_data))) { result = SG_ERR_NOMEM; goto complete; } agreement_len = curve_calculate_agreement(&agreement, parameters->their_signed_pre_key, parameters->our_identity_key->private_key); if(agreement_len < 0) { result = agreement_len; goto complete; } if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) { free(agreement); agreement = 0; agreement_len = 0; } else { result = SG_ERR_NOMEM; goto complete; } agreement_len = curve_calculate_agreement(&agreement, parameters->their_identity_key, ec_key_pair_get_private(parameters->our_base_key)); if(agreement_len < 0) { result = agreement_len; goto complete; } if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) { free(agreement); agreement = 0; agreement_len = 0; } else { result = SG_ERR_NOMEM; goto complete; } agreement_len = curve_calculate_agreement(&agreement, parameters->their_signed_pre_key, ec_key_pair_get_private(parameters->our_base_key)); if(agreement_len < 0) { result = agreement_len; goto complete; } if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) { free(agreement); agreement = 0; agreement_len = 0; } else { result = SG_ERR_NOMEM; goto complete; } if(parameters->their_one_time_pre_key) { agreement_len = curve_calculate_agreement(&agreement, parameters->their_one_time_pre_key, ec_key_pair_get_private(parameters->our_base_key)); if(agreement_len < 0) { result = agreement_len; goto complete; } if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) { free(agreement); agreement = 0; agreement_len = 0; } else { result = SG_ERR_NOMEM; goto complete; } } if(vpool_is_empty(&vp)) { result = SG_ERR_UNKNOWN; goto complete; } secret = vpool_get_buf(&vp); secret_len = vpool_get_length(&vp); result = ratcheting_session_calculate_derived_keys(&derived_root, &derived_chain, secret, secret_len, global_context); if(result < 0) { goto complete; } result = ratchet_root_key_create_chain(derived_root, &sending_chain_root, &sending_chain_key, parameters->their_ratchet_key, ec_key_pair_get_private(sending_ratchet_key)); if(result < 0) { goto complete; } complete: if(result >= 0) { session_state_set_session_version(state, CIPHERTEXT_CURRENT_VERSION); session_state_set_remote_identity_key(state, parameters->their_identity_key); session_state_set_local_identity_key(state, parameters->our_identity_key->public_key); session_state_add_receiver_chain(state, parameters->their_ratchet_key, derived_chain); session_state_set_sender_chain(state, sending_ratchet_key, sending_chain_key); session_state_set_root_key(state, sending_chain_root); } vpool_final(&vp); if(agreement) { free(agreement); } if(sending_ratchet_key) { SIGNAL_UNREF(sending_ratchet_key); } if(derived_root) { SIGNAL_UNREF(derived_root); } if(derived_chain) { SIGNAL_UNREF(derived_chain); } if(sending_chain_root) { SIGNAL_UNREF(sending_chain_root); } if(sending_chain_key) { SIGNAL_UNREF(sending_chain_key); } return result; }
END_TEST START_TEST(test_curve25519_random_agreements) { int result; int i; ec_key_pair *alice_key_pair = 0; ec_public_key *alice_public_key = 0; ec_private_key *alice_private_key = 0; ec_key_pair *bob_key_pair = 0; ec_public_key *bob_public_key = 0; ec_private_key *bob_private_key = 0; uint8_t *shared_alice = 0; uint8_t *shared_bob = 0; signal_context *context; signal_context_create(&context, 0); setup_test_crypto_provider(context); for(i = 0; i < 50; i++) { /* Generate Alice's key pair */ result = curve_generate_key_pair(context, &alice_key_pair); ck_assert_int_eq(result, 0); alice_public_key = ec_key_pair_get_public(alice_key_pair); alice_private_key = ec_key_pair_get_private(alice_key_pair); ck_assert_ptr_ne(alice_public_key, 0); ck_assert_ptr_ne(alice_private_key, 0); /* Generate Bob's key pair */ result = curve_generate_key_pair(context, &bob_key_pair); ck_assert_int_eq(result, 0); bob_public_key = ec_key_pair_get_public(bob_key_pair); bob_private_key = ec_key_pair_get_private(bob_key_pair); ck_assert_ptr_ne(bob_public_key, 0); ck_assert_ptr_ne(bob_private_key, 0); /* Calculate Alice's key agreement */ result = curve_calculate_agreement(&shared_alice, bob_public_key, alice_private_key); ck_assert_int_eq(result, 32); ck_assert_ptr_ne(shared_alice, 0); /* Calculate Bob's key agreement */ result = curve_calculate_agreement(&shared_bob, alice_public_key, bob_private_key); ck_assert_int_eq(result, 32); ck_assert_ptr_ne(shared_bob, 0); /* Assert that key agreements match */ ck_assert_int_eq(memcmp(shared_alice, shared_bob, 32), 0); /* Cleanup */ if(shared_alice) { free(shared_alice); } if(shared_bob) { free(shared_bob); } SIGNAL_UNREF(alice_key_pair); SIGNAL_UNREF(bob_key_pair); alice_key_pair = 0; bob_key_pair = 0; alice_public_key = 0; alice_private_key = 0; bob_public_key = 0; bob_private_key = 0; shared_alice = 0; shared_bob = 0; } signal_context_destroy(context); }
int ratchet_root_key_create_chain(ratchet_root_key *root_key, ratchet_root_key **new_root_key, ratchet_chain_key **new_chain_key, ec_public_key *their_ratchet_key, ec_private_key *our_ratchet_key_private) { static const char key_info[] = "WhisperRatchet"; int result = 0; ssize_t result_size = 0; uint8_t *shared_secret = 0; size_t shared_secret_len = 0; uint8_t *derived_secret = 0; ratchet_root_key *new_root_key_result = 0; ratchet_chain_key *new_chain_key_result = 0; if(!their_ratchet_key || !our_ratchet_key_private) { return SG_ERR_INVAL; } result = curve_calculate_agreement(&shared_secret, their_ratchet_key, our_ratchet_key_private); if(result < 0) { signal_log(root_key->global_context, SG_LOG_WARNING, "curve_calculate_agreement failed"); goto complete; } shared_secret_len = (size_t)result; result_size = hkdf_derive_secrets(root_key->kdf, &derived_secret, shared_secret, shared_secret_len, root_key->key, root_key->key_len, (uint8_t *)key_info, sizeof(key_info) - 1, DERIVED_ROOT_SECRETS_SIZE); if(result_size < 0) { result = (int)result_size; signal_log(root_key->global_context, SG_LOG_WARNING, "hkdf_derive_secrets failed"); goto complete; } else if(result_size != DERIVED_ROOT_SECRETS_SIZE) { result = SG_ERR_UNKNOWN; signal_log(root_key->global_context, SG_LOG_WARNING, "hkdf_derive_secrets size mismatch"); goto complete; } result = ratchet_root_key_create(&new_root_key_result, root_key->kdf, derived_secret, 32, root_key->global_context); if(result < 0) { signal_log(root_key->global_context, SG_LOG_WARNING, "ratchet_root_key_create failed"); goto complete; } result = ratchet_chain_key_create(&new_chain_key_result, root_key->kdf, derived_secret + 32, 32, 0, root_key->global_context); if(result < 0) { signal_log(root_key->global_context, SG_LOG_WARNING, "ratchet_chain_key_create failed"); goto complete; } complete: if(shared_secret) { free(shared_secret); } if(derived_secret) { free(derived_secret); } if(result < 0) { if(new_root_key_result) { SIGNAL_UNREF(new_root_key_result); } if(new_chain_key_result) { SIGNAL_UNREF(new_chain_key_result); } return result; } else { *new_root_key = new_root_key_result; *new_chain_key = new_chain_key_result; return 0; } }
static int session_cipher_decrypt_from_record_and_signal_message(session_cipher *cipher, session_record *record, signal_message *ciphertext, signal_buffer **plaintext) { int result = 0; signal_buffer *result_buf = 0; session_state *state = 0; session_state *state_copy = 0; session_record_state_node *previous_states_node = 0; assert(cipher); signal_lock(cipher->global_context); state = session_record_get_state(record); if(state) { result = session_state_copy(&state_copy, state, cipher->global_context); if(result < 0) { goto complete; } //TODO Collect and log invalid message errors if totally unsuccessful result = session_cipher_decrypt_from_state_and_signal_message(cipher, state_copy, ciphertext, &result_buf); if(result < 0 && result != SG_ERR_INVALID_MESSAGE) { goto complete; } if(result >= SG_SUCCESS) { session_record_set_state(record, state_copy); goto complete; } SIGNAL_UNREF(state_copy); } previous_states_node = session_record_get_previous_states_head(record); while(previous_states_node) { state = session_record_get_previous_states_element(previous_states_node); result = session_state_copy(&state_copy, state, cipher->global_context); if(result < 0) { goto complete; } result = session_cipher_decrypt_from_state_and_signal_message(cipher, state_copy, ciphertext, &result_buf); if(result < 0 && result != SG_ERR_INVALID_MESSAGE) { goto complete; } if(result >= SG_SUCCESS) { session_record_get_previous_states_remove(record, previous_states_node); result = session_record_promote_state(record, state_copy); goto complete; } SIGNAL_UNREF(state_copy); previous_states_node = session_record_get_previous_states_next(previous_states_node); } signal_log(cipher->global_context, SG_LOG_WARNING, "No valid sessions"); result = SG_ERR_INVALID_MESSAGE; complete: SIGNAL_UNREF(state_copy); if(result >= 0) { *plaintext = result_buf; } else { signal_buffer_free(result_buf); } signal_unlock(cipher->global_context); return result; }
int session_cipher_encrypt(session_cipher *cipher, const uint8_t *padded_message, size_t padded_message_len, ciphertext_message **encrypted_message) { int result = 0; session_record *record = 0; session_state *state = 0; ratchet_chain_key *chain_key = 0; ratchet_chain_key *next_chain_key = 0; ratchet_message_keys message_keys; ec_public_key *sender_ephemeral = 0; uint32_t previous_counter = 0; uint32_t session_version = 0; signal_buffer *ciphertext = 0; uint32_t chain_key_index = 0; ec_public_key *local_identity_key = 0; ec_public_key *remote_identity_key = 0; signal_message *message = 0; pre_key_signal_message *pre_key_message = 0; uint8_t *ciphertext_data = 0; size_t ciphertext_len = 0; assert(cipher); signal_lock(cipher->global_context); if(cipher->inside_callback == 1) { result = SG_ERR_INVAL; goto complete; } result = signal_protocol_session_load_session(cipher->store, &record, cipher->remote_address); if(result < 0) { goto complete; } state = session_record_get_state(record); if(!state) { result = SG_ERR_UNKNOWN; goto complete; } chain_key = session_state_get_sender_chain_key(state); if(!chain_key) { result = SG_ERR_UNKNOWN; goto complete; } result = ratchet_chain_key_get_message_keys(chain_key, &message_keys); if(result < 0) { goto complete; } sender_ephemeral = session_state_get_sender_ratchet_key(state); if(!sender_ephemeral) { result = SG_ERR_UNKNOWN; goto complete; } previous_counter = session_state_get_previous_counter(state); session_version = session_state_get_session_version(state); result = session_cipher_get_ciphertext(cipher, &ciphertext, session_version, &message_keys, padded_message, padded_message_len); if(result < 0) { goto complete; } ciphertext_data = signal_buffer_data(ciphertext); ciphertext_len = signal_buffer_len(ciphertext); chain_key_index = ratchet_chain_key_get_index(chain_key); local_identity_key = session_state_get_local_identity_key(state); if(!local_identity_key) { result = SG_ERR_UNKNOWN; goto complete; } remote_identity_key = session_state_get_remote_identity_key(state); if(!remote_identity_key) { result = SG_ERR_UNKNOWN; goto complete; } result = signal_message_create(&message, session_version, message_keys.mac_key, sizeof(message_keys.mac_key), sender_ephemeral, chain_key_index, previous_counter, ciphertext_data, ciphertext_len, local_identity_key, remote_identity_key, cipher->global_context); if(result < 0) { goto complete; } if(session_state_has_unacknowledged_pre_key_message(state) == 1) { uint32_t local_registration_id = session_state_get_local_registration_id(state); int has_pre_key_id = 0; uint32_t pre_key_id = 0; uint32_t signed_pre_key_id; ec_public_key *base_key; if(session_state_unacknowledged_pre_key_message_has_pre_key_id(state)) { has_pre_key_id = 1; pre_key_id = session_state_unacknowledged_pre_key_message_get_pre_key_id(state); } signed_pre_key_id = session_state_unacknowledged_pre_key_message_get_signed_pre_key_id(state); base_key = session_state_unacknowledged_pre_key_message_get_base_key(state); if(!base_key) { result = SG_ERR_UNKNOWN; goto complete; } result = pre_key_signal_message_create(&pre_key_message, session_version, local_registration_id, (has_pre_key_id ? &pre_key_id : 0), signed_pre_key_id, base_key, local_identity_key, message, cipher->global_context); if(result < 0) { goto complete; } SIGNAL_UNREF(message); message = 0; } result = ratchet_chain_key_create_next(chain_key, &next_chain_key); if(result < 0) { goto complete; } result = session_state_set_sender_chain_key(state, next_chain_key); if(result < 0) { goto complete; } result = signal_protocol_session_store_session(cipher->store, cipher->remote_address, record); complete: if(result >= 0) { if(pre_key_message) { *encrypted_message = (ciphertext_message *)pre_key_message; } else { *encrypted_message = (ciphertext_message *)message; } } else { SIGNAL_UNREF(pre_key_message); SIGNAL_UNREF(message); } signal_buffer_free(ciphertext); SIGNAL_UNREF(next_chain_key); SIGNAL_UNREF(record); signal_explicit_bzero(&message_keys, sizeof(ratchet_message_keys)); signal_unlock(cipher->global_context); return result; }
END_TEST START_TEST(test_serialize_pre_key_signal_message) { int result = 0; static const char ciphertext[] = "WhisperCipherText"; ec_public_key *sender_ratchet_key = create_test_ec_public_key(global_context); ec_public_key *sender_identity_key = create_test_ec_public_key(global_context); ec_public_key *receiver_identity_key = create_test_ec_public_key(global_context); ec_public_key *base_key = create_test_ec_public_key(global_context); ec_public_key *identity_key = create_test_ec_public_key(global_context); uint8_t mac_key[RATCHET_MAC_KEY_LENGTH]; memset(mac_key, 1, sizeof(mac_key)); signal_message *message = 0; pre_key_signal_message *pre_key_message = 0; pre_key_signal_message *result_pre_key_message = 0; result = signal_message_create(&message, 3, mac_key, sizeof(mac_key), sender_ratchet_key, 2, /* counter */ 1, /* previous counter */ (uint8_t *)ciphertext, sizeof(ciphertext) - 1, sender_identity_key, receiver_identity_key, global_context); ck_assert_int_eq(result, 0); uint32_t pre_key_id = 56; result = pre_key_signal_message_create(&pre_key_message, 3, /* message version */ 42, /* registration ID */ &pre_key_id, /* pre key ID */ 72, /* signed pre key ID */ base_key, identity_key, message, global_context); ck_assert_int_eq(result, 0); signal_buffer *serialized = ciphertext_message_get_serialized((ciphertext_message *)pre_key_message); ck_assert_ptr_ne(serialized, 0); result = pre_key_signal_message_deserialize(&result_pre_key_message, signal_buffer_data(serialized), signal_buffer_len(serialized), global_context); ck_assert_int_eq(result, 0); int version1 = pre_key_signal_message_get_message_version(pre_key_message); int version2 = pre_key_signal_message_get_message_version(result_pre_key_message); ck_assert_int_eq(version1, version2); ec_public_key *identity_key1 = pre_key_signal_message_get_identity_key(pre_key_message); ec_public_key *identity_key2 = pre_key_signal_message_get_identity_key(result_pre_key_message); ck_assert_int_eq(ec_public_key_compare(identity_key1, identity_key2), 0); int registration_id1 = pre_key_signal_message_get_registration_id(pre_key_message); int registration_id2 = pre_key_signal_message_get_registration_id(result_pre_key_message); ck_assert_int_eq(registration_id1, registration_id2); int has_pre_key_id1 = pre_key_signal_message_has_pre_key_id(pre_key_message); int has_pre_key_id2 = pre_key_signal_message_has_pre_key_id(result_pre_key_message); ck_assert_int_eq(has_pre_key_id1, has_pre_key_id2); if(has_pre_key_id1) { int pre_key_id1 = pre_key_signal_message_get_pre_key_id(pre_key_message); int pre_key_id2 = pre_key_signal_message_get_pre_key_id(result_pre_key_message); ck_assert_int_eq(pre_key_id1, pre_key_id2); } int signed_pre_key_id1 = pre_key_signal_message_get_signed_pre_key_id(pre_key_message); int signed_pre_key_id2 = pre_key_signal_message_get_signed_pre_key_id(result_pre_key_message); ck_assert_int_eq(signed_pre_key_id1, signed_pre_key_id2); ec_public_key *base_key1 = pre_key_signal_message_get_base_key(pre_key_message); ec_public_key *base_key2 = pre_key_signal_message_get_base_key(result_pre_key_message); ck_assert_int_eq(ec_public_key_compare(base_key1, base_key2), 0); signal_message *message1 = pre_key_signal_message_get_signal_message(pre_key_message); signal_message *message2 = pre_key_signal_message_get_signal_message(result_pre_key_message); compare_signal_messages(message1, message2); /* Cleanup */ SIGNAL_UNREF(message); SIGNAL_UNREF(result_pre_key_message); SIGNAL_UNREF(pre_key_message); SIGNAL_UNREF(sender_ratchet_key); SIGNAL_UNREF(sender_identity_key); SIGNAL_UNREF(receiver_identity_key); SIGNAL_UNREF(base_key); SIGNAL_UNREF(identity_key); }
static int session_cipher_get_or_create_message_keys(ratchet_message_keys *message_keys, session_state *state, ec_public_key *their_ephemeral, ratchet_chain_key *chain_key, uint32_t counter, signal_context *global_context) { int result = 0; ratchet_chain_key *cur_chain_key = 0; ratchet_chain_key *next_chain_key = 0; ratchet_message_keys message_keys_result; if(ratchet_chain_key_get_index(chain_key) > counter) { result = session_state_remove_message_keys(state, &message_keys_result, their_ephemeral, counter); if(result == 1) { result = 0; goto complete; } signal_log(global_context, SG_LOG_WARNING, "Received message with old counter: %d, %d", ratchet_chain_key_get_index(chain_key), counter); result = SG_ERR_DUPLICATE_MESSAGE; goto complete; } if(counter - ratchet_chain_key_get_index(chain_key) > 2000) { signal_log(global_context, SG_LOG_WARNING, "Over 2000 messages into the future!"); result = SG_ERR_INVALID_MESSAGE; goto complete; } cur_chain_key = chain_key; SIGNAL_REF(cur_chain_key); while(ratchet_chain_key_get_index(cur_chain_key) < counter) { result = ratchet_chain_key_get_message_keys(cur_chain_key, &message_keys_result); if(result < 0) { goto complete; } result = session_state_set_message_keys(state, their_ephemeral, &message_keys_result); if(result < 0) { goto complete; } result = ratchet_chain_key_create_next(cur_chain_key, &next_chain_key); if(result < 0) { goto complete; } SIGNAL_UNREF(cur_chain_key); cur_chain_key = next_chain_key; next_chain_key = 0; } result = ratchet_chain_key_create_next(cur_chain_key, &next_chain_key); if(result < 0) { goto complete; } result = session_state_set_receiver_chain_key(state, their_ephemeral, next_chain_key); if(result < 0) { goto complete; } result = ratchet_chain_key_get_message_keys(cur_chain_key, &message_keys_result); if(result < 0) { goto complete; } complete: if(result >= 0) { memcpy(message_keys, &message_keys_result, sizeof(ratchet_message_keys)); } SIGNAL_UNREF(cur_chain_key); SIGNAL_UNREF(next_chain_key); signal_explicit_bzero(&message_keys_result, sizeof(ratchet_message_keys)); return result; }
static int session_cipher_get_or_create_chain_key(session_cipher *cipher, ratchet_chain_key **chain_key, session_state *state, ec_public_key *their_ephemeral) { int result = 0; ratchet_chain_key *result_key = 0; ratchet_root_key *receiver_root_key = 0; ratchet_chain_key *receiver_chain_key = 0; ratchet_root_key *sender_root_key = 0; ratchet_chain_key *sender_chain_key = 0; ec_key_pair *our_new_ephemeral = 0; ratchet_root_key *root_key = 0; ec_key_pair *our_ephemeral = 0; ratchet_chain_key *previous_sender_chain_key = 0; uint32_t index = 0; result_key = session_state_get_receiver_chain_key(state, their_ephemeral); if(result_key) { SIGNAL_REF(result_key); goto complete; } root_key = session_state_get_root_key(state); if(!root_key) { result = SG_ERR_UNKNOWN; goto complete; } our_ephemeral = session_state_get_sender_ratchet_key_pair(state); if(!our_ephemeral) { result = SG_ERR_UNKNOWN; goto complete; } result = ratchet_root_key_create_chain(root_key, &receiver_root_key, &receiver_chain_key, their_ephemeral, ec_key_pair_get_private(our_ephemeral)); if(result < 0) { goto complete; } result = curve_generate_key_pair(cipher->global_context, &our_new_ephemeral); if(result < 0) { goto complete; } result = ratchet_root_key_create_chain(receiver_root_key, &sender_root_key, &sender_chain_key, their_ephemeral, ec_key_pair_get_private(our_new_ephemeral)); if(result < 0) { goto complete; } session_state_set_root_key(state, sender_root_key); result = session_state_add_receiver_chain(state, their_ephemeral, receiver_chain_key); if(result < 0) { goto complete; } previous_sender_chain_key = session_state_get_sender_chain_key(state); if(!previous_sender_chain_key) { result = SG_ERR_UNKNOWN; goto complete; } index = ratchet_chain_key_get_index(previous_sender_chain_key); if(index > 0) { --index; } session_state_set_previous_counter(state, index); session_state_set_sender_chain(state, our_new_ephemeral, sender_chain_key); result_key = receiver_chain_key; SIGNAL_REF(result_key); complete: SIGNAL_UNREF(receiver_root_key); SIGNAL_UNREF(receiver_chain_key); SIGNAL_UNREF(sender_root_key); SIGNAL_UNREF(sender_chain_key); SIGNAL_UNREF(our_new_ephemeral); if(result >= 0) { *chain_key = result_key; } else { SIGNAL_UNREF(result_key); } return result; }
static int session_cipher_decrypt_from_state_and_signal_message(session_cipher *cipher, session_state *state, signal_message *ciphertext, signal_buffer **plaintext) { int result = 0; signal_buffer *result_buf = 0; ec_public_key *their_ephemeral = 0; uint32_t counter = 0; ratchet_chain_key *chain_key = 0; ratchet_message_keys message_keys; uint8_t message_version = 0; uint32_t session_version = 0; ec_public_key *remote_identity_key = 0; ec_public_key *local_identity_key = 0; signal_buffer *ciphertext_body = 0; if(!session_state_has_sender_chain(state)) { signal_log(cipher->global_context, SG_LOG_WARNING, "Uninitialized session!"); result = SG_ERR_INVALID_MESSAGE; goto complete; } message_version = signal_message_get_message_version(ciphertext); session_version = session_state_get_session_version(state); if(message_version != session_version) { signal_log(cipher->global_context, SG_LOG_WARNING, "Message version %d, but session version %d", message_version, session_version); result = SG_ERR_INVALID_MESSAGE; goto complete; } their_ephemeral = signal_message_get_sender_ratchet_key(ciphertext); if(!their_ephemeral) { result = SG_ERR_UNKNOWN; goto complete; } counter = signal_message_get_counter(ciphertext); result = session_cipher_get_or_create_chain_key(cipher, &chain_key, state, their_ephemeral); if(result < 0) { goto complete; } result = session_cipher_get_or_create_message_keys(&message_keys, state, their_ephemeral, chain_key, counter, cipher->global_context); if(result < 0) { goto complete; } remote_identity_key = session_state_get_remote_identity_key(state); if(!remote_identity_key) { result = SG_ERR_UNKNOWN; goto complete; } local_identity_key = session_state_get_local_identity_key(state); if(!local_identity_key) { result = SG_ERR_UNKNOWN; goto complete; } result = signal_message_verify_mac(ciphertext, message_version, remote_identity_key, local_identity_key, message_keys.mac_key, sizeof(message_keys.mac_key), cipher->global_context); if(result != 1) { if(result == 0) { signal_log(cipher->global_context, SG_LOG_WARNING, "Message mac not verified"); result = SG_ERR_INVALID_MESSAGE; } else if(result < 0) { signal_log(cipher->global_context, SG_LOG_WARNING, "Error attempting to verify message mac"); } goto complete; } ciphertext_body = signal_message_get_body(ciphertext); if(!ciphertext_body) { signal_log(cipher->global_context, SG_LOG_WARNING, "Message body does not exist"); result = SG_ERR_INVALID_MESSAGE; goto complete; } result = session_cipher_get_plaintext(cipher, &result_buf, message_version, &message_keys, signal_buffer_data(ciphertext_body), signal_buffer_len(ciphertext_body)); if(result < 0) { goto complete; } session_state_clear_unacknowledged_pre_key_message(state); complete: SIGNAL_UNREF(chain_key); if(result >= 0) { *plaintext = result_buf; } else { signal_buffer_free(result_buf); } signal_explicit_bzero(&message_keys, sizeof(ratchet_message_keys)); return result; }
int device_consistency_message_create_from_serialized(device_consistency_message **message, device_consistency_commitment *commitment, const uint8_t *serialized_data, size_t serialized_len, ec_public_key *identity_key, signal_context *global_context) { int result = 0; device_consistency_message *result_message = 0; Textsecure__DeviceConsistencyCodeMessage *message_structure = 0; signal_buffer *commitment_buffer = 0; signal_buffer *vrf_output_buffer = 0; /* Create message instance */ result = device_consistency_message_create(&result_message); if(result < 0) { goto complete; } /* Deserialize the message */ message_structure = textsecure__device_consistency_code_message__unpack(0, serialized_len, serialized_data); if(!message_structure) { result = SG_ERR_INVALID_PROTO_BUF; goto complete; } if(!message_structure->has_generation || !message_structure->has_signature) { result = SG_ERR_INVALID_PROTO_BUF; goto complete; } /* Verify VRF signature */ commitment_buffer = device_consistency_commitment_get_serialized(commitment); result = curve_verify_vrf_signature(global_context, &vrf_output_buffer, identity_key, signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer), message_structure->signature.data, message_structure->signature.len); if(result < 0) { goto complete; } /* Assign the message fields */ result_message->generation = message_structure->generation; result = device_consistency_signature_create(&result_message->signature, message_structure->signature.data, message_structure->signature.len, signal_buffer_data(vrf_output_buffer), signal_buffer_len(vrf_output_buffer)); if(result < 0) { goto complete; } result_message->serialized = signal_buffer_create(serialized_data, serialized_len); if(!result_message->serialized) { result = SG_ERR_NOMEM; } complete: if(message_structure) { textsecure__device_consistency_code_message__free_unpacked(message_structure, 0); } signal_buffer_free(vrf_output_buffer); if(result >= 0) { *message = result_message; } else { SIGNAL_UNREF(result_message); } if(result == SG_ERR_INVALID_PROTO_BUF || result == SG_ERR_INVALID_KEY || result == SG_ERR_VRF_SIG_VERIF_FAILED) { result = SG_ERR_INVALID_MESSAGE; } return result; }
int ratcheting_session_calculate_derived_keys(ratchet_root_key **root_key, ratchet_chain_key **chain_key, uint8_t *secret, size_t secret_len, signal_context *global_context) { int result = 0; ssize_t result_size = 0; hkdf_context *kdf = 0; ratchet_root_key *root_key_result = 0; ratchet_chain_key *chain_key_result = 0; uint8_t *output = 0; uint8_t salt[HASH_OUTPUT_SIZE]; static const char key_info[] = "WhisperText"; result = hkdf_create(&kdf, 3, global_context); if(result < 0) { goto complete; } memset(salt, 0, sizeof(salt)); result_size = hkdf_derive_secrets(kdf, &output, secret, secret_len, salt, sizeof(salt), (uint8_t *)key_info, sizeof(key_info) - 1, 64); if(result_size != 64) { result = SG_ERR_UNKNOWN; goto complete; } result = ratchet_root_key_create(&root_key_result, kdf, output, 32, global_context); if(result < 0) { goto complete; } result = ratchet_chain_key_create(&chain_key_result, kdf, output + 32, 32, 0, global_context); if(result < 0) { goto complete; } complete: if(kdf) { SIGNAL_UNREF(kdf); } if(output) { free(output); } if(result < 0) { if(root_key_result) { SIGNAL_UNREF(root_key_result); } if(chain_key_result) { SIGNAL_UNREF(chain_key_result); } } else { *root_key = root_key_result; *chain_key = chain_key_result; } return result; }
int displayable_fingerprint_create(displayable_fingerprint **displayable, const char *local_fingerprint, const char *remote_fingerprint) { int result = 0; size_t local_len = 0; size_t remote_len = 0; displayable_fingerprint *result_displayable = 0; char *display_text = 0; if(!local_fingerprint || !remote_fingerprint) { return SG_ERR_INVAL; } result_displayable = malloc(sizeof(displayable_fingerprint)); if(!result_displayable) { return SG_ERR_NOMEM; } memset(result_displayable, 0, sizeof(displayable_fingerprint)); SIGNAL_INIT(result_displayable, displayable_fingerprint_destroy); result_displayable->local_fingerprint = strdup(local_fingerprint); if(!result_displayable->local_fingerprint) { result = SG_ERR_NOMEM; goto complete; } result_displayable->remote_fingerprint = strdup(remote_fingerprint); if(!result_displayable->remote_fingerprint) { result = SG_ERR_NOMEM; goto complete; } local_len = strlen(local_fingerprint); remote_len = strlen(remote_fingerprint); display_text = malloc(local_len + remote_len + 1); if(!display_text) { result = SG_ERR_NOMEM; goto complete; } if(strcmp(local_fingerprint, remote_fingerprint) <= 0) { memcpy(display_text, local_fingerprint, local_len); memcpy(display_text + local_len, remote_fingerprint, remote_len + 1); } else { memcpy(display_text, remote_fingerprint, remote_len); memcpy(display_text + remote_len, local_fingerprint, local_len + 1); } result_displayable->display_text = display_text; complete: if(result < 0) { SIGNAL_UNREF(result_displayable); } else { *displayable = result_displayable; } return result; }
int session_cipher_decrypt_pre_key_signal_message(session_cipher *cipher, pre_key_signal_message *ciphertext, void *decrypt_context, signal_buffer **plaintext) { int result = 0; signal_buffer *result_buf = 0; session_record *record = 0; int has_unsigned_pre_key_id = 0; uint32_t unsigned_pre_key_id = 0; assert(cipher); signal_lock(cipher->global_context); if(cipher->inside_callback == 1) { result = SG_ERR_INVAL; goto complete; } result = signal_protocol_session_load_session(cipher->store, &record, cipher->remote_address); if(result < 0) { goto complete; } result = session_builder_process_pre_key_signal_message(cipher->builder, record, ciphertext, &unsigned_pre_key_id); if(result < 0) { goto complete; } has_unsigned_pre_key_id = result; result = session_cipher_decrypt_from_record_and_signal_message(cipher, record, pre_key_signal_message_get_signal_message(ciphertext), &result_buf); if(result < 0) { goto complete; } result = session_cipher_decrypt_callback(cipher, result_buf, decrypt_context); if(result < 0) { goto complete; } result = signal_protocol_session_store_session(cipher->store, cipher->remote_address, record); if(result < 0) { goto complete; } if(has_unsigned_pre_key_id) { result = signal_protocol_pre_key_remove_key(cipher->store, unsigned_pre_key_id); if(result < 0) { goto complete; } } complete: SIGNAL_UNREF(record); if(result >= 0) { *plaintext = result_buf; } else { signal_buffer_free(result_buf); } signal_unlock(cipher->global_context); return result; }